
Computer Forensics: File Deletion and Password Cracking Techniques, Exams of Nursing

A comprehensive overview of file deletion and password cracking techniques commonly used in computer forensics investigations. It explores how files are deleted in different windows operating systems, including fat and ntfs file systems, and the methods used to recover deleted files. The document also delves into various password cracking techniques, such as brute force, dictionary, and rainbow attacks, and discusses tools used for password recovery. It further examines anti-forensics techniques, including file deletion, steganography, and trail obfuscation, and highlights the importance of implementing countermeasures to combat these techniques. The document concludes with a discussion of tools and techniques for gathering information about logged-on users, open files, and network information.

Typology: Exams

2024/2025

Available from 12/31/2024

kelvin-smith-3


CHFI PRACTICE EXAM Questions with 100% Verified Answers Latest Updates 2024 GRADED A+

Windows: When a user deletes a file, the OS does not actually delete the file, it - ✔✔marks the file name in the Master File Table (MFT) with a special character. This character represents that the space once occupied by the file is ready for use

FAT - The OS replaces the first letter of the deleted filename with - ✔✔E5H. Corresponding clusters of that file are marked unused, even though they are not empty. Until these clusters are overwritten, the file can still be recovered

Deleted files in NTFS - The OS marks the index field in the MFT with a special code. - ✔✔The computer now looks at the clusters occupied by that file as being empty. Until these clusters are overwritten, the file can be recovered

Recycle Bin - ✔✔A place to store files that are marked for deletion. The exceptions are large files and files from removable media

Setting Windows registry key "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate" to 1 - ✔✔disables updating of the last-accessed timestamp

What Happens When a File is Deleted? Windows 98 and earlier (FAT) - ✔✔C:\Recycled (4GB limit)
  • Files are named Dxy.ext
    o x is drive
    o y is sequence number (0-??)
    o ext is original extension
  • For the first document file deleted on C: drive would be: Dc0.doc

What Happens When a File is Deleted? Windows 2000, XP, NT (NTFS) - ✔✔C:\Recycler\S- (based on Windows SID)

What Happens When a File is Deleted? Windows Vista, 7, 8, and 10 - ✔✔C:\$Recycle.Bin
  • Files are named $Ry.ext
    o y is sequence number
    o ext is original extension
  • For the first document file deleted on C: drive would be: $R0.doc

What Happens When a File is Deleted? When a user deletes a file or folder, the OS stores all the details of the file such as its complete path, including the original file name, - ✔✔in a special hidden file called "Info" or "Info2" in the Recycle Bin folder

What Happens When a File is Deleted? In Windows newer than Vista and XP, the OS stores the complete path and file or folder name - ✔✔in a hidden file called INFO

What Happens When a File is Deleted? INFO2 contains various details of deleted files such as: - ✔✔original file name, original file size, the date and time of deletion, unique identifying number, and the drive number that the file came from

Privacy Eraser - ✔✔an anti-forensic solution to protect the privacy of the user by deleting the browsing history and other computer activities. The software implements and exceeds the US Department of Defense and NSA clearing and sanitizing standards, giving you the confidence that once erased, your file data is gone forever and can never be recovered

Brute Force Attack - ✔✔the attacker tries every possible combination of characters until the correct password is found, including using different hashes for encrypted passwords

Dictionary Attack - ✔✔a file is loaded into the cracking application that runs against user accounts. The program uses every word present in the dictionary file to find the password. Dictionary attacks can be considered more useful than brute force attacks, although they do not work against systems that use passphrases

Syllable Attack - ✔✔the combination of both a brute force attack and a dictionary attack. This is often used when the password is a nonexistent word. The attacker takes syllables from dictionary words and combines them in every possible way to try to crack the password

Rule-Based Attack - ✔✔This type of attack is used when an attacker already has some information about the password. He or she can then write a rule so that the password-cracking software will generate only passwords that meet this rule. For example, if the attacker knows that all passwords on a system consist of six letters and three numbers, he or she can craft a rule that generates only these types of passwords. This is considered the most powerful attack

Hybrid Attack - ✔✔This type of attack is based on the dictionary attack and brute force. Often, people change their passwords by just adding numbers to their old passwords. In this attack, the program adds numbers and symbols to the words from the dictionary. For example, if the old password is "system", the user may have changed it to "system1" or "system2."

Password Guessing - ✔✔Sometimes users set passwords that can be easily remembered, such as a relative's name, a pet's name, or an automobile license plate number. This can make the password easily guessed. Unlike other methods of password cracking, guessing requires only physical access or an open network path to a machine running a suitable service

Rainbow Attack - ✔✔a password hash table called a rainbow table is created in advance and stored in memory. This rainbow table is a table of password hashes created by hashing every possible password and variation thereof, to be used in a rainbow attack to recover a plaintext password from a captured ciphertext

L0phtCrack - ✔✔Helps to recover lost Microsoft Windows passwords by using dictionary attacks, hybrid attacks, rainbow tables, and brute-force attacks

Ophcrack - ✔✔A Windows password cracker based on rainbow tables. GUI and runs on multiple platforms

Cain & Abel - ✔✔Is a password recovery tool for Microsoft OSs. It sniffs the network, cracks encrypted passwords using dictionary, brute-force, and cryptanalysis attacks. It covers some security aspects/weaknesses present in a protocol's standards, caching mechanisms, and authentication methods. This offers a simplified recovery of passwords and credentials from various sources. It consists of an ARP Poison Routing (APR) that enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this tool is also capable of analyzing encrypted protocols, such as HTTP and SSH-1, and contains filters to capture credentials from a wide range of authentication mechanisms

RainbowCrack - ✔✔A hash cracker. It uses a time-memory tradeoff algorithm to crack hashes. It pre-computes all possible plaintext-ciphertext pairs in advance and stores them in the "rainbow table" file

PWdump7 - ✔✔An application that dumps the password hashes (OWFs) from NT's SAM database. It extracts LM and NTLM password hashes of local user accounts from the SAM database

Fgdump - ✔✔Basically, a utility for dumping passwords on Windows NT/2000/XP/2003/Vista machines

Bypass/reset BIOS password - ✔✔
  • manufacturer's backdoor password
  • password-cracking software (CmosPwd, DaveGrohl)
  • reset CMOS or remove battery
  • professional service - keyboard buffer overload

Tools to Reset Admin Passwords - ✔✔Active@ Password Changer, Windows Recovery Bootdisk, Windows Password Recovery Lastic

Application Password Cracking - ✔✔Passware Kit, SmartKey, Advanced Office Password Recovery (all versions of Office), Office Password Recovery

PDF password recovery - ✔✔PDF Password Recovery, PDF Password Genius, SmartKey, Tenorshare, Guaranteed

Steganography - ✔✔The art of hidden writing, which has been in use for centuries. It involves embedding a hidden message in some transport or carrier medium; mathematicians, military personnel, and scientists have been using it

Steganalysis - ✔✔The process of discovering the existence of hidden information within a cover medium; it is the reverse process of steganography

Steganalysis tools - ✔✔Gargoyle, StegAlyzerAS/RTS, StegExpose, StegAlyzerSS, Steganography Studio, Virtual Steganographic Lab (VSL), ImgStegano

Buffer overflow attack - ✔✔attackers use this attack in order to inject and run code in the address space of a running program, thereby successfully altering the victim program's behavior

Anti-forensics techniques include - ✔✔file deletion, password protection, steganography, trail obfuscation, artifact wiping, overwriting data/metadata, encryption, program packers, rootkits, exploiting forensics tool bugs, etc.

Strictly implementing countermeasures against anti-forensics - ✔✔may enable an investigator to successfully deal with a case

System Time - ✔✔The first step while investigating an incident is the collection of this

Logged-on Users - ✔✔The next step after collecting system time is to determine who was and who currently is on a system

Some of the tools and commands used to determine logged-on users - ✔✔PsLoggedOn, net sessions, LogonSessions

PsLoggedOn - ✔✔displays both the locally logged-on users and users logged on via resources for either the local computer or a remote one

net sessions - ✔✔displays information about all logged-in sessions of the local computer

LogonSessions - ✔✔It lists the currently active logged-on sessions and, if you specify the -p option, it can provide you the information of processes running in each session

Open Files - ✔✔Files that are currently in use; they are opened within the operating system

The following applications let you gather information on open files - ✔✔net file, PsFile, Openfiles

net file - ✔✔displays the names of all open shared files on a server and the number of file locks, if any, on each file. You can also close files and remove file locks

PsFile - ✔✔a command-line utility that can retrieve the list of remotely opened files on a system and allows the investigator to close open files

Openfiles - ✔✔This command queries or displays open files and also queries, displays, or disconnects files opened by network users

Network Information - ✔✔Nbtstat, NetBIOS over TCP/IP (NetBT)

Nbtstat - ✔✔helps to troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBT resolves NetBIOS names to IP addresses. Switches: -a remote name, -A IP address, -c cache, -n names, -r resolved, -S sessions

NetBIOS over TCP/IP (NetBT) - ✔✔resolves NetBIOS names to IP addresses

Netstat tool - ✔✔helps in collecting information about network connections operative in a Windows system

The most common way to run Netstat is with - ✔✔the -ano switches; these switches tell the program to display the TCP and UDP network connections, listening ports, and the identifiers of the processes (PIDs). -r routing table, -e ethernet stats, -p Protocol

Process Information

Collecting Volatile Information: Information to collect - ✔✔System Time, Logged-on Users, Open Files, Network Information, Network Connections, Process Information, Process to Port Mapping, Process Memory, Network Status, Print Spool Files, Other Information

Syntax: netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval] - ✔✔
  • -a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • -e: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
  • -n: Displays active TCP connections; however, addresses and port numbers are expressed numerically, and no attempt is made to determine names.
  • -o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
  • -p Protocol: Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
  • -s: Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
  • -r: Displays the contents of the IP routing table. This is equivalent to the route print command

NETSTAT - ✔✔-an to look for suspicious connections AND -ano for also Process ID

Tasklist tool - ✔✔displays the list of applications and services along with the Process IDs (PID) for all tasks that are running on either a local or a remotely connected computer

Pslist.exe - ✔✔displays basic information about the already running processes on a system, including the amount of time each process has been running. -x details about threads and memory, -t task tree, -d detail, -m memory, -e exact match for process name

ListDLLs - ✔✔reports DLLs loaded into processes. Process name, Pid, Dll name, -r relocated, -u unsigned, -v version

Handle - ✔✔displays information about open handles for any process. -a all types, -c close, -l sizes, -y no prompt, -s print count, -u username, -p processes, name

Process Memory

ProcDump - ✔✔monitors applications for CPU spikes and generates crash dumps during a spike so that an administrator or developer can determine the cause of the spike

Process Dumper (PD) - ✔✔forensically dumps the memory of a running process

Process Explorer - ✔✔shows information about the handles and DLLs of the processes which have been opened or loaded

PMDump - ✔✔a tool that lets you dump the memory contents of a process to a file without stopping the process. This tool is highly useful in forensic investigations

Ipconfig - ✔✔Displays IP/MAC information about the interfaces on the system

Print Spool Files - ✔✔These can be found at c:\windows\system32\spool\Printers

Other volatile Information to collect - ✔✔Clipboard Contents, Service/Driver Information, Command History, Mapped Drives and Shares

The system stores the information about shared files and folders in the following registry root key: - ✔✔HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares

Important Registry Entries: - ✔✔ClearPageFileAtShutdown, DisableLastAccess

ClearPageFileAtShutdown - ✔✔Will clear the page file at system shutdown, possibly deleting valuable data

DisableLastAccess - ✔✔
  • Used to disable the updating of last access time on files
  • Can invoke using the "fsutil" command

AutoRuns Tool - ✔✔Used to identify tasks or programs that run at startup or on a regular schedule

DevCon or Device Console - ✔✔
  • is a command-line tool that displays detailed information about devices on computers running the Windows operating system
  • can be used to enable, disable, install, configure, and remove devices

Slack space - ✔✔the space generated between the end of the file stored and the end of the disk cluster

Fsutil - ✔✔performs tasks related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume

Microsoft Security ID - ✔✔refers to a unique identification number that Microsoft assigns to a Windows user account for granting the user access to a particular resource

PsLogList - ✔✔Allows users to log in to remote systems in situations when the current set of security credentials would not permit access to the Event Log. It retrieves message strings from the computer on which the event log resides. It shows the contents of the System Event Log on the local computer and allows formatting of Event Log records

Extensible Storage Engine (ESE) - ✔✔
  • A data storage technology from MS to store and retrieve data via sequential access
  • This helps the server to store various files, messages, etc. and access folders, text messages, attachments, etc. for email service provision
  • These files have the extension .edb and can provide valuable case evidence in forensic investigations
  • The database is in the form of a B-Tree structure and has a hexadecimal file signature

Common artifact locations of Microsoft Edge include: - ESE database - ✔✔\Users\username\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb

Common artifact locations of Microsoft Edge include: - Edge cached files location - ✔✔\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC#!001\MicrosoftEdge\Cache

Common artifact locations of Microsoft Edge include: - Edge last active browsing session data location: - ✔✔\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active

Edge stores history records, Cookies, HTTP POST request header packets and downloads in: - ✔✔\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

If the last browsing session open was in PrivacIE mode then the browser stores these records in: - ✔✔\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\{browsing-session-ID}.dat